Privacy Bill Essentials: An Update on the Colorado Privacy Act
Update: Governor Jared Polis signed the Colorado Privacy Act on July 8, 2021.
On June 8, 2021, the Colorado legislature passed the Colorado Privacy Act (CPA). Since we first reported on its introduction, the CPA has undergone a number of revisions. Initial amendments made the CPA more business-friendly. Recent amendments, however, have been pro-consumer. For example, the Senate's final version of the CPA restored the opt-in requirement for controllers to obtain consent from consumers before collecting sensitive data, which the Business, Labor & Technology Committee had replaced with a notice and opt-out standard.
The Senate modified the following provisions of the CPA:
- "Consent" is modified and defined as a "clear, affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement, such as a written statement, including by electronic means or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data relating to the consumer for a narrowly defined particular purpose."
- Consent does not include acceptance of "general or broad terms of use," passive acceptance such as "hovering over, muting, pausing, or closing" content, or an "agreement obtained through dark patterns."
- "Dark patterns" refers to a "user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice."
- The definition of "sale" no longer applies only to licensing or selling to third parties.
- The "right to deletion" no longer applies only to data "provided to the controller."
- The CPA no longer contains any reference to "pseudonymous data."
The Senate added the following new provisions to the CPA:
- A relationship between a processor and controller must be governed by a contract abiding by the requirements laid out in the CPA.
- Controllers have 60 days to cure any violation. This provision will be repealed on January 1, 2025.
- Controllers must "provide a clear and conspicuous method to exercise the right to opt-out of the processing" of personal data used for targeted advertising or sale.
- Effective January 1, 2024, controllers processing personal data for targeted advertising or sale must allow consumers to opt out of processing through a "user-selected universal opt-out mechanism." Technical specifications and regulations for this mechanism will be rolled out through the Attorney General by December 31, 2023.
Final Amendments in the House
The CPA was introduced in the House and assigned to the House Committee on Finance on May 27, 2021. The House Finance Committee, as well as the House Committee of the Whole, made a handful of amendments to the bill, including:
- Restoring the definition of "pseudonymous data" and providing that rights within the bill do not apply to such data;
- Restating that the CPA does not provide for a private right of action;
- Providing that the CPA does not apply to data maintained by a "state institution of higher education" and various other state and governmental entities; and
- Allowing the Attorney General to adopt rules covering the issuance of opinion letters and interpretative guidance beginning on January 1, 2025.
If signed into law by the Governor, the CPA will be effective on July 1, 2023.